CN114567476B - Data security protection method and device, electronic equipment and medium - Google Patents

Data security protection method and device, electronic equipment and medium

Publication number
CN114567476B
Authority
CN
China
Prior art keywords
key
data
interface
encrypted data
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210169525.2A
Other languages
Chinese (zh)
Other versions
CN114567476A (en
Inventor
陈武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Lian Intellectual Property Service Center
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202210169525.2A
Publication of CN114567476A
Application granted
Publication of CN114567476B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The embodiment of the application discloses a data security protection method, a data security protection device, electronic equipment and a medium, which can be applied to the field of security protection. The method comprises the following steps: when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system; encrypting the first data through a first key to obtain first encrypted data; generating a corresponding first interface calling code according to the key interface address of the first key; and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client. By adopting the embodiment of the application, the data security is improved. The embodiment of the application can also be applied to the technical field of blockchain, such as storing the first key and the unique data identification of the first data in the blockchain in a correlated way.

Description

Data security protection method and device, electronic equipment and medium
Technical Field
The application relates to the field of security protection, and in particular to a data security protection method, a data security protection device, electronic equipment and a medium.
Background
At present, data uploaded to or downloaded from service systems is in plaintext form, such as word, excel or txt files. If a user downloads data from the system and then views it through other unknown software or systems, the data is easily leaked, so how to improve the security of the data is a problem to be solved.
Disclosure of Invention
The embodiment of the application provides a data security protection method, a data security protection device, electronic equipment and a medium, which are beneficial to improving the security of data.
In one aspect, an embodiment of the present application discloses a data security protection method, where the method includes:
when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system;
encrypting the first data through the first key to obtain first encrypted data;
generating a corresponding first interface calling code according to the key interface address of the first key, wherein the first interface calling code is used for calling a corresponding key interface according to the key interface address of the first key to acquire the first key when decrypting the first encrypted data;
and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client.
In another aspect, an embodiment of the present application discloses a data security protection apparatus, the apparatus including:
an obtaining unit, configured to obtain, from a key system, a first key for first data and a key interface address of the first key when a data download instruction for the first data sent by a first client is received;
the processing unit is used for carrying out encryption processing on the first data through the first key to obtain first encrypted data;
the processing unit is further configured to generate a corresponding first interface call code according to a key interface address of the first key, where the first interface call code is configured to call a corresponding key interface according to the key interface address of the first key to obtain the first key when decrypting the first encrypted data;
the processing unit is further configured to obtain first target encrypted data according to the combination of the first encrypted data and the first interface call code, and send the first target encrypted data to the first client.
In yet another aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, wherein the memory is configured to store a computer program, the computer program including program instructions, the processor configured to perform the steps of:
when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system;
encrypting the first data through the first key to obtain first encrypted data;
generating a corresponding first interface calling code according to the key interface address of the first key, wherein the first interface calling code is used for calling a corresponding key interface according to the key interface address of the first key to acquire the first key when decrypting the first encrypted data;
and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client.
In yet another aspect, embodiments of the present application provide a computer readable storage medium having stored therein computer program instructions for performing the following steps when executed by a processor:
when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system;
encrypting the first data through the first key to obtain first encrypted data;
generating a corresponding first interface calling code according to the key interface address of the first key, wherein the first interface calling code is used for calling a corresponding key interface according to the key interface address of the first key to acquire the first key when decrypting the first encrypted data;
and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client.
In yet another aspect, embodiments of the present application disclose a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the data security protection method described above.
In the embodiments of the application, when a data downloading instruction is received, a first key for the first data and a key interface address of the first key are obtained from the key system; the first data is encrypted with the first key to obtain first encrypted data; a corresponding first interface calling code is generated according to the key interface address of the first key, so that the first key can be obtained through the first interface calling code during later decryption; and the first target encrypted data is obtained by combining the first encrypted data with the first interface calling code. The first data is thus encrypted, so the data downloaded by the user is encrypted data, which prevents the user from viewing it through other unknown software or systems. Because the encryption key is stored in the key system and must be obtained by calling a key interface at decryption time, the risk of key leakage is reduced and the security of the data is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a data security protection system according to an embodiment of the present application;
fig. 2 is a flow chart of a data security protection method according to an embodiment of the present application;
fig. 3 is a flow chart of a data security protection method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a data security device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
In the data security protection scheme, when a data downloading instruction is received, a first key for the first data and a key interface address of the first key are obtained from a key system; the first data is encrypted with the first key to obtain first encrypted data; a corresponding first interface calling code is generated according to the key interface address of the first key, so that the first key can be obtained through the first interface calling code during later decryption; and the first target encrypted data is obtained by combining the first encrypted data with the first interface calling code. The first data is thus encrypted, so the data downloaded by the user is encrypted data, which prevents the user from viewing it through other unknown software or systems. Because the encryption key is stored in the key system and must be obtained by calling a key interface at decryption time, the risk of key leakage is reduced and the security of the data is improved.
In a possible implementation manner, a data security protection system is provided in the embodiment of the present application, and referring to fig. 1, fig. 1 is a schematic structural diagram of a data security protection system provided in the embodiment of the present application, where the data security protection system may include a client, a server, and a key system. Wherein the server may be configured with the security protection scheme described above. And, the server may be provided with a corresponding business system, such as a collaborative office system, a financial system, and other application systems, etc., without limitation. The client can be a client provided by a service system, and an account authorized by the service system is logged in the client. When a user processes a service based on a service system, the user can send an instruction to a corresponding server through a client provided by the service system so as to realize a corresponding function. For example, a user sends a data downloading instruction to a server based on a client provided by a service system, the data downloading instruction is used for indicating downloading data from the service system, the server encrypts the data through a data security protection scheme provided by the application, and then the encrypted data is returned to the client, so that the data finally downloaded by the user is encrypted data. For another example, the client sends a data acquisition instruction (also referred to as a data viewing instruction) for the data encrypted by the data security protection method to the server, where the data acquisition instruction is used to instruct to acquire plaintext data of the data for display, and the server may decrypt the data encrypted by the data security protection method, so that a user can view the plaintext data through the client of the service system.
The key system may be a system for generating and managing keys. The key system may be configured to receive a request sent by the server, and perform a corresponding response process on the request sent by the server, so as to return a corresponding request result. For example, when the key system receives a key generation instruction sent by the server, the key system generates a corresponding key and returns the key to the server. For another example, when the key system receives a key acquisition request sent by a server, the key system can verify the authority of the server initiating the key acquisition request, the effective duration of the key acquired by the request and other information according to the key acquisition request, if the verification is passed, the key can be returned to the server, and if the verification is not passed, the key can not be returned to the server, so that the security of the key for encrypting the data can be improved, and the security of the data is further improved.
It should be noted that, unless otherwise specified, where the specific embodiments of the application involve related data such as user information, user permission or consent is required when the embodiments are applied to specific products or technologies, and the collection, use and processing of the related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
The technical scheme of the application can be applied to electronic equipment, where the electronic equipment can be a terminal, a server or other equipment for data security protection, which is not limited by the application. Optionally, the server can be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud storage, network services, middleware services, big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, etc.
Based on the above description, the embodiment of the application provides a data security protection method. Referring to fig. 2, fig. 2 is a flow chart of a data security protection method according to an embodiment of the present application. The method may be performed by the above-mentioned electronic device. The data security method may include the following steps.
S201, when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system.
The data downloading instruction for the first data is used for instructing the downloading of the first data from the service system as described above. The first data may be any plaintext data that needs to be downloaded, for example, the first data may be file data in a format of word, excel, txt or the like. The first client may be any client. In one possible scenario, a user may click on a control in a first client to instruct downloading of first data, and the first client may send a data download instruction for the first data to an electronic device (e.g., a server).
In one possible implementation, after receiving the data downloading instruction for the first data, the electronic device may obtain the first key for the first data and the key interface address of the first key from the key system through the following steps: (1) Send a key generation instruction to the key system. (2) Receive the first key for the first data and the key interface address of the first key returned by the key system; the key interface address of the first key includes a unique data identifier of the first data, and the unique data identifier is generated by the key system.
The key generation instruction is used to instruct the key system to generate a corresponding key. It will be appreciated that the key system, upon receiving the key generation instruction, may randomly generate a key of a target number of bits, e.g., may generate a 64-bit key as the first key. The key system may also generate a unique data identifier for the first data. The unique data identifier may be a character string of a target length, composed of one or more of letters, numbers, or visible characters, where visible characters are characters that can be input directly through the keyboard, such as "_x". For example, the key system may generate the string "58E15f61R4DR7S78TWR8271" as the unique data identifier for the first data. It will be appreciated that, for the key generation instruction of each different piece of data, the key system may generate a string of the same length as the unique data identifier of the corresponding data. The unique data identifier may also be referred to as a data ID, a file ID, etc. The key system may store the generated key in association with the unique data identifier of the data in a storage area, so that the corresponding key can later be retrieved according to the unique data identifier.
In one possible implementation, when the key system generates the unique data identifier, it may randomly generate a character string as the unique data identifier. It may also generate the unique data identifier according to the order in which key generation instructions are received: for example, the last 5 characters of the unique data identifier may be the sequence number of the received key generation instruction, so if the key system receives a key generation instruction for the 2000th time, the last 5 characters may be 02000. It may also generate the unique data identifier according to the data format of the data corresponding to the key generation instruction: if the data format is word, the characters at a target position in the unique data identifier may be a character string corresponding to the word format, and similarly the characters at the target position for data in formats such as excel, txt and ppt may be the corresponding character strings. Alternatively, the key system may generate the unique data identifier of the data in other ways, which is not limited here.
The key system can also issue a key interface for the first key and generate a key interface address of the first key. The key interface is an interface for acquiring the corresponding key when the encrypted data is decrypted, and the key interface address is the Uniform Resource Locator (URL) address corresponding to the key interface, through which the key interface can be called to acquire the corresponding key when the encrypted data is decrypted.
In a possible implementation, the key system may generate the key interface address of the first key according to the unique data identifier of the first data, so that the key interface address of the first key includes the unique data identifier of the first data. The key interface address of the key of each piece of data is thus associated with the unique data identifier of that data, and the key interface addresses of different data are different, which helps protect the key and improves the security of the key. An example is https://ph-xxx.com.cn/getSecKeyFor58E15f61R4DR7S78TWR8271.do, where the suffix 58E15f61R4DR7S78TWR8271 is the unique data identifier of the first data. After generating the first key and the key interface address of the first key, the key system returns them to the electronic equipment that sent the key generation instruction.
In one possible implementation, the interface logic of the key interface issued by the key system for the first key can verify the source of the interface caller, its domain name, the validity period of the key, and so on, so that the key interface performs these checks on the caller whenever it is subsequently called. The source of the interface caller may indicate, for example, the device identification of the electronic device acquiring the key. The domain name indicates the domain name information of the service system corresponding to the electronic equipment acquiring the key. It can be understood that the interface logic of the issued key interface can be configured with the sources and domain names that pass verification, which is equivalent to configuring the authorized interface callers, so that unauthorized callers cannot successfully call the interface; and verifying the validity period of the key prevents the key from being acquired after its validity period has passed. This ensures the security of the key and further improves the security of the data.
When generating the first key, the key system may also record the generation time of the first key and determine the validity period of the first key. The generation time of the first key is the time at which the key system generated the first key. The validity period of the first key indicates how long the first key remains valid. Thus, when the key interface is called, it can compute the time difference between the generation time of the first key and the time at which the key interface is called, and compare this difference with the validity period of the first key in order to verify the validity period. For example, the generation time of the first key is t1 and the validity period of the first key is 3 days (i.e. 72 hours). When the interface caller calls the key interface of the first key at t2, if t2-t1 is less than or equal to 72 hours, the validity period verification of the key passes, and if t2-t1 is greater than 72 hours, the validity period verification of the key fails.
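The key generation and key interface checks described above can be sketched as follows. This is an added illustration, not code from the patent: the `KeySystem` class, the placeholder host `keys.example.invalid`, the 32-byte key size and the device and domain names are all assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed placeholder address parts; the ".do" suffix mirrors the page's sample address.
BASE_URL = "https://keys.example.invalid/getSecKeyFor"
SUFFIX = ".do"
ID_ALPHABET = string.ascii_letters + string.digits
ID_LENGTH = 23   # same length as the page's sample identifier
KEY_BYTES = 32   # assumption: a key size usable with AES; the page only says "target number of bits"


@dataclass(frozen=True)
class KeyRecord:
    key: bytes
    created_at: datetime        # t1 in the text
    validity: timedelta         # validity period of the key
    allowed_sources: frozenset  # device identifiers of authorized callers
    allowed_domains: frozenset  # domain names of authorized service systems


class KeySystem:
    """Toy in-memory key system: generates keys and answers key interface calls."""

    def __init__(self):
        self._records = {}

    def generate(self, now, allowed_sources, allowed_domains,
                 validity=timedelta(hours=72)):
        """Handle a key generation instruction; return (key, key interface address)."""
        data_id = "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))
        record = KeyRecord(secrets.token_bytes(KEY_BYTES), now, validity,
                           frozenset(allowed_sources), frozenset(allowed_domains))
        # Key stored in association with the unique data identifier.
        self._records[data_id] = record
        return record.key, BASE_URL + data_id + SUFFIX

    def get_key(self, address, source, domain, now):
        """Key interface logic; returns (key, reason), key is None on any failed check."""
        if not (address.startswith(BASE_URL) and address.endswith(SUFFIX)):
            return None, "malformed address"
        data_id = address[len(BASE_URL):-len(SUFFIX)]
        record = self._records.get(data_id)
        if record is None:
            return None, "unknown data identifier"
        if source not in record.allowed_sources:
            return None, "source not authorized"
        if domain not in record.allowed_domains:
            return None, "domain not authorized"
        # t2 - t1 must not exceed the validity period (72 hours in the text's example).
        if now - record.created_at > record.validity:
            return None, "validity period exceeded"
        return record.key, "ok"


if __name__ == "__main__":
    t1 = datetime(2022, 2, 23, tzinfo=timezone.utc)  # constructed generation time
    ks = KeySystem()
    key, address = ks.generate(t1, {"server-01"}, {"oa.example.invalid"})
    for hours in (71, 72, 73):
        _, reason = ks.get_key(address, "server-01", "oa.example.invalid",
                               t1 + timedelta(hours=hours))
        print(hours, reason)
```

A call at exactly 72 hours still passes, matching the "less than or equal to" rule in the text.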
S202, encrypting the first data through a first key to obtain first encrypted data.
The first encrypted data is the data obtained after the first data is encrypted with the first key. In one possible implementation, the first data may be encrypted with the first key using a symmetric encryption algorithm, such as the AES algorithm. It will be appreciated that a symmetric encryption algorithm uses the same key to encrypt data and to decrypt the encrypted data.
S203, generating a corresponding first interface calling code according to the key interface address of the first key.
The first interface calling code is used to call the corresponding key interface according to the key interface address of the first key, in order to acquire the first key when decrypting the first encrypted data. The first interface calling code may include interface calling logic that calls the key interface indicated by the parameter value of an interface parameter; in the first interface calling code, the parameter value of the interface parameter is the key interface address of the first key.
In one possible implementation, the first interface calling code may be generated automatically by adjusting a parameter in an initial interface calling code. This specifically includes the following steps: (1) Acquire an initial interface calling code. The initial interface calling code includes interface calling logic, which is used to call the key interface indicated by the parameter value of an interface parameter. In one possible implementation, the code type of the initial interface calling code may be java, python, etc., without limitation. (2) Update the parameter value of the interface parameter according to the key interface address of the first key, and determine the updated initial interface calling code as the first interface calling code. The parameter value of the interface parameter in the initial interface calling code may be null or an initial value, without limitation. The parameter value of the interface parameter is replaced with the key interface address of the first key, so that when the data is decrypted later, the key interface corresponding to the key interface address of the first key can be called through the interface calling logic included in the first interface calling code.
S204, the first target encrypted data is obtained according to the combination of the first encrypted data and the first interface calling code, and the first target encrypted data is sent to the first client.
The first target encrypted data is the data that is finally downloaded by the user. To obtain the first target encrypted data by combining the first encrypted data with the first interface calling code, the first interface calling code can be added into the first encrypted data. For example, with the first encrypted data represented by a run of x characters and the first interface calling code being tttttttttttt, the first interface calling code may be added into the first encrypted data, so that the first target encrypted data is obtained as follows: xxxxxxxtttttttxxxxxxx. In this way the interface calling code and the encrypted data are fused to obtain the finally downloaded data, so that the interface calling code in the downloaded data can be parsed when the downloaded data is decrypted later, and the key required for decryption can then be obtained.
In a possible implementation manner, when the first target encrypted data is obtained through combination, the encrypted data and the interface calling code can be distinguished by adding a key identification pair, so that the interface calling code can be quickly identified when the interface calling code is analyzed later.
Optionally, the obtaining the first target encrypted data according to the combination of the first encrypted data and the first interface calling code may include the following steps: (1) and adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code. The key identification pair may be a pair of special identification symbols, which may be one symbol or a plurality of symbols, such as "@ secret" @ x ", etc. The two special identifiers in the key pair may be the same or different, and are not limited herein. For example, the first interface call code may be: if the special identifier added before the first interface calling code is "@ secret", the special identifier added after the first interface calling code is "@ x", the first interface calling code added with the key identifier pair is: the @ is a @ secret ttttttttttt @; if the special identifier added before the first interface calling code is "@ secret", and the special identifier added after the first interface calling code is "@ secret", the first interface calling code added with the key identifier pair is: the @ is dense ttttttttttt @ is dense. (2) And adding the first interface calling code added with the key identification pair into the first encrypted data to obtain first target encrypted data. For example, the first encrypted data is: the first interface calling code may be: the tttttttttttt is that the first interface calling code added with the key identification pair is added into the first encrypted data, so that the first target encrypted data can be obtained as follows: xxxxxxx@close ttttttttttt@close xxxxx.
Optionally, obtaining the first target encrypted data by combining the first encrypted data with the first interface calling code may instead include the following steps: (1) Add a key identification pair before and after the first interface calling code, where the key identification pair is used to identify the position of the first interface calling code. (2) Perform encryption processing on the first interface calling code with the key identification pair added to obtain an encrypted calling code. This encryption processing may use a method that requires no key, for example encoding with an algorithm such as Base64 or Base32. It can be understood that, although this processing uses no key, adding it means that an unauthorized service system or software can determine the method applied to the marked first interface calling code only through repeated attempts, which raises the difficulty of maliciously acquiring the data for an unauthorized service system or software and further improves the security of the data. (3) Add the encrypted calling code into the first encrypted data to obtain the first target encrypted data. The encrypted calling code is added to the first encrypted data in the same way as the first interface calling code with the key identification pair added, which is not described again herein.
For example, with the first interface calling code tttttttttttt, the first interface calling code with the key identification pair added is: @secret tttttttttttt@secret. Base64 processing of the first interface calling code with the key identification pair added then gives the encrypted calling code: 77+lqowvhnr0dh0dhldo+/puclr 4 y=, and the first target encrypted data obtained after adding the encrypted calling code to the first encrypted data may be: xxxxxxxx77+lqowvhnr0 dHR0dHR0 do+/puclr4y=xxxxxxxx.
Optionally, when the first target encrypted data is obtained by combining the first encrypted data with the first interface calling code, the first interface calling code may instead be encrypted first, and the key identification pair then added before and after the encrypted first interface calling code; the encrypted first interface calling code with the key identification pair added is then added into the first encrypted data.
In the embodiment of the application, when the data download instruction is received, the first key for the first data and the key interface address of the first key are obtained from the key system; the first data is encrypted with the first key to obtain the first encrypted data; and the corresponding first interface calling code is generated according to the key interface address of the first key, so that the first key can be obtained through the first interface calling code when decryption is performed later. The first target encrypted data is then obtained by combining the first encrypted data with the first interface calling code. In this way the first data is encrypted, so the data the user downloads is encrypted data and cannot be viewed through other unknown software or systems; and because the key is stored in the key system and has to be obtained by calling the key interface when decryption is performed, the risk of key leakage is reduced and the security of the data is improved.
Referring to fig. 3, fig. 3 is a flow chart of a data security protection method according to an embodiment of the present application. The method may be performed by the electronic device described above. The data security protection method specifically comprises the following steps.
S301, when a data acquisition instruction for second data is detected, second target encrypted data corresponding to the second data is acquired.
The second target encrypted data is obtained according to the combination of the second encrypted data and the second interface calling code. The second target encrypted data corresponds to data obtained by processing the second data by the method of the embodiment shown in fig. 2. It is understood that the second data may or may not be the first data, which is not limited herein. The second encrypted data may be data obtained by encrypting the second data with a second key, and the second interface call code may be used to obtain the second key required for decrypting the second data when decrypting the second encrypted data. It will be appreciated that the electronic device that generates the second target encrypted data corresponding to the second data may be the electronic device (or service system) that receives the data acquisition instruction, or may not be the electronic device (or service system) that receives the data acquisition instruction, which is not limited herein.
The data acquisition instruction may be sent by a second client. The second client may be any client and may be the same as or different from the first client, which is not limited herein. For example, if user A needs to upload the second target encrypted data through the client of service system A and view it, then when user A uploads the second target encrypted data through the client and clicks a control for viewing the plaintext data (i.e., the second data) corresponding to the second target encrypted data, the client of user A sends a data acquisition instruction for the second data to the electronic device on which service system A is deployed; here the client of user A is the second client. For another example, if user B needs to view the plaintext data of the second target encrypted data uploaded by user A, and user B clicks a control for viewing the plaintext data (i.e., the second data) corresponding to the second target encrypted data, the client of user B sends a data acquisition instruction for the second data to the electronic device on which service system A is deployed; here the client of user B is the second client. That is, the second client may or may not be the client that uploaded the second target encrypted data corresponding to the second data, which is not limited herein.
In a possible scenario, when a user downloads data in a service system configured with the data security protection method, the method shown in fig. 2 may be used to obtain target encrypted data corresponding to the data, if the user needs to view the target encrypted data, the target encrypted data may be uploaded to the service system through a client, so that an electronic device provided with the service system may decrypt the target encrypted data to obtain plaintext data of the target encrypted data, and then the electronic device returns the plaintext data of the target encrypted data to the client for display. Therefore, the user can only view the data encrypted by the service system (or other service systems mutually trusted with the service system) through the service system, so that the safety of the data is improved.
S302, acquiring a second interface calling code from the second target encrypted data.
The second interface calling code is used for calling a corresponding key interface to acquire a second key required for decrypting the second data, namely, a second key for encrypting the second data.
In one possible implementation manner, the second interface calling code is acquired from the second target encrypted data, and the position of the second interface calling code can be determined by determining the key identification pair in the second target encrypted data, so that the second interface calling code is quickly acquired. This is because a key identification pair is added before and after the second interface call code when the second target encrypted data is generated, wherein the relevant description for the key identification pair can refer to the relevant description of S204, which is not limited herein.
Optionally, if the second target encrypted data was generated by adding the key identification pair before and after the second interface calling code and then adding the second interface calling code with the key identification pair into the second encrypted data, acquiring the second interface calling code from the second target encrypted data may include the following steps: determine the key identification pair in the second target encrypted data, and determine the data between the two identifiers of the pair to be the second interface calling code. For example, if the two special identifiers of the key identification pair in the second target encrypted data are both "@secret", the data between the two "@secret" identifiers is determined to be the second interface calling code, namely: tttttttttttt.
Optionally, if, when the second target encrypted data was generated, the key identification pair was added before and after the second interface calling code, the second interface calling code with the key identification pair was then encrypted to obtain the corresponding encrypted calling code, and the encrypted calling code was added to the second encrypted data to obtain the second target encrypted data, then acquiring the second interface calling code from the second target encrypted data may instead include the following steps: perform decryption processing on the second target encrypted data, determine the key identification pair in the decrypted second target encrypted data, and determine the data between the two identifiers of the pair in the decrypted second target encrypted data to be the second interface calling code. It will be appreciated that the decryption method applied to the second target encrypted data corresponds to the encryption method that was applied to the second interface calling code with the key identification pair added. For example, if the two special identifiers in the key identification pair are both "@secret" and the second target encrypted data is decrypted, for example by Base64 decoding, so that the decrypted second target encrypted data includes the data @secret tttttttttttt@secret, then the data between the two "@secret" identifiers is determined to be the second interface calling code, namely: tttttttttttt.
Optionally, if, when the second target encrypted data was generated, the second interface calling code was encrypted first, the key identification pair was then added before and after the encrypted second interface calling code, and the encrypted second interface calling code with the key identification pair was added to the second encrypted data to obtain the second target encrypted data, then acquiring the second interface calling code from the second target encrypted data may instead include the following steps: determine the key identification pair in the second target encrypted data, and decrypt the data between the two identifiers of the pair to obtain the second interface calling code.
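The combination and extraction steps described above can be exercised end to end. The following Python sketch is an added example, not code from the patent: the marker values follow the text, while the insertion offset parameter, the hex sample ciphertext, the sample calling code and the rejection of duplicate markers are assumptions made here. It covers the plain-marker variant and the variant that encodes the calling code before adding the markers.

```python
import base64


class EnvelopeError(ValueError):
    """Target encrypted data cannot be built or parsed unambiguously."""


def _reject_markers(text, open_mark, close_mark, what):
    # A marker inside the payload would make the calling code's position ambiguous.
    if open_mark in text or close_mark in text:
        raise EnvelopeError(f"{what} contains a key identification marker")


def pack(ciphertext, call_code, offset, open_mark="@secret", close_mark="@x",
         encode=False):
    """Insert the marked calling code into the encrypted data at `offset`.

    encode=False: markers around the plain calling code.
    encode=True:  Base64-encode the calling code first, then add the markers.
    """
    if not 0 <= offset <= len(ciphertext):
        raise EnvelopeError("offset is outside the ciphertext")
    body = call_code
    if encode:
        body = base64.b64encode(call_code.encode("utf-8")).decode("ascii")
    _reject_markers(ciphertext, open_mark, close_mark, "ciphertext")
    _reject_markers(body, open_mark, close_mark, "calling code")
    return ciphertext[:offset] + open_mark + body + close_mark + ciphertext[offset:]


def unpack(target, open_mark="@secret", close_mark="@x", encoded=False):
    """Return (encrypted data, calling code) from target encrypted data."""
    start = target.find(open_mark)
    if start < 0:
        raise EnvelopeError("opening marker not found")
    body_start = start + len(open_mark)
    end = target.find(close_mark, body_start)
    if end < 0:
        raise EnvelopeError("closing marker not found")
    body = target[body_start:end]
    # Removing the marked span leaves the encrypted data (step S304).
    ciphertext = target[:start] + target[end + len(close_mark):]
    # Exactly one pair is accepted; anything else is a collision or tampering.
    if open_mark in body or open_mark in ciphertext or close_mark in ciphertext:
        raise EnvelopeError("more than one key identification marker pair")
    if encoded:
        try:
            body = base64.b64decode(body, validate=True).decode("utf-8")
        except ValueError as exc:  # binascii.Error and UnicodeDecodeError
            raise EnvelopeError("calling code is not valid Base64 text") from exc
    return ciphertext, body


# Constructed sample values. The ciphertext is hex text, so "@" cannot occur in it.
SAMPLE_CIPHERTEXT = "9f3c1a7be2d04455a1b2c3d4"
# Hypothetical calling code; the page only shows the placeholder tttttttttttt.
SAMPLE_CALL_CODE = 'fetch_key("https://keys.example.internal/key/demo-id")'

if __name__ == "__main__":
    plain = pack(SAMPLE_CIPHERTEXT, "tttttttttttt", 7)
    print(plain, unpack(plain))
    enc = pack(SAMPLE_CIPHERTEXT, SAMPLE_CALL_CODE, 10, encode=True)
    print(enc, unpack(enc, encoded=True))
```

Base64 is reversible without any secret, so the encoded variant only hides the calling code from casual inspection; what restricts decryption is the caller verification performed by the key interface.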
S303, calling a corresponding key interface according to the key interface address in the second interface calling code to obtain a second key required for decrypting the second encrypted data.
The second key may be a key required for decrypting the second encrypted data, and the parameter value of the interface parameter in the second interface call code may indicate a key interface address for obtaining the second key.
In one possible implementation, step S303 may include the following steps: (1) sending a key acquisition request to the corresponding key interface according to the key interface address in the second interface calling code; (2) receiving the second key, returned by the key system, that is required for decrypting the second encrypted data. The second key is returned by the key system after the key interface's verification of the validity duration of the second key passes; the key interface verifies the validity duration by comparing the time difference between the generation time of the second key and the time at which the key interface is called with the validity duration of the second key.
Wherein the key acquisition request is used for instructing to acquire a second key required for decrypting the second encrypted data. It can be understood that after the key interface verifies the key obtaining request, the key system can obtain the corresponding key from the storage area according to the unique data identifier included in the key interface address, that is, obtain the second key, and return the second key to the electronic device.
For the verification of the validity duration of the second key by the key interface, refer to the related description in step S201, which is not repeated here. It can be appreciated that if the key interface's verification of the validity duration of the second key passes, the key system may obtain the second key and return it to the electronic device; if the verification does not pass, a prompt message can be returned to the electronic device indicating that the key identified by the key interface address has exceeded its validity duration, so that the electronic device returns a prompt message to the client to inform the user that the second key has exceeded its validity duration.
In one possible implementation manner, as described above, the key interface may further verify the source, domain name, etc. of the electronic device (i.e., the interface caller) that sends the key acquisition request. If the verification passes, the key system acquires the corresponding key from the storage area. If the verification does not pass, the electronic device does not have the authority to decrypt the second encrypted data and the key system does not acquire the corresponding key from the storage area, so the electronic device cannot receive the second key required for decrypting the second encrypted data. This helps to improve the security of the key, prevents arbitrary software or service systems from obtaining at will the key required for decrypting the encrypted data, and improves the security of the data.
S304, acquiring second encrypted data from the second target encrypted data.
Acquiring the second encrypted data from the second target encrypted data may consist of deleting from the second target encrypted data the second interface calling code with the key identification pair added, or deleting the encrypted calling code obtained from the second interface calling code with the key identification pair added, so as to obtain the second encrypted data.
S305, decrypting the second encrypted data according to the second key to obtain second data, and sending the second data to the second client.
The decryption method used for decrypting the second encrypted data according to the second key corresponds to an encryption algorithm used for encrypting the second data, and if the encryption algorithm used for encrypting the second data is an AES algorithm, the decryption method used for decrypting the second encrypted data according to the second key may also be an AES algorithm, which is not described herein. The second client may receive the returned second data and display the acquired second data so that the user may view the second data through the client.
In one possible scenario, the embodiments of the present application may be applied to multiple mutually trusted service systems. Mutually trusted service systems are service systems that pass the verification of domain name, source and the like when the key system verifies the interface caller. For example, suppose user 1 needs to download data M from service system A and then send it to user 2. When data M is downloaded from service system A, user 1 obtains the target encrypted data corresponding to data M through the method of the embodiment shown in fig. 2. Since data M is already encrypted, the security of the data is ensured throughout the process in which user 1 sends the target encrypted data corresponding to data M to user 2. When user 2 wants to view data M, this is possible only through service system A or another system mutually trusted with service system A. For example, user 2 uploads the data to service system B, which is mutually trusted with service system A. When data M is viewed through service system B, service system B can acquire the corresponding key through the method shown in fig. 3 in order to decrypt the target encrypted data corresponding to data M. When the key is acquired, the key interface can verify the device identifier and domain name information of service system B; if the verification passes, the target encrypted data corresponding to data M can be decrypted, and user 2 can view data M through service system B.
It can be understood that, if user 2 uploads the target encrypted data of data M to service system C, which is not mutually trusted with service system A, in order to view data M, then when the electronic device corresponding to service system C calls the key interface, the key interface's verification of the caller does not pass, and data M cannot be viewed, so that the security of the data can be greatly improved. It can be understood that different file data can be authorized for decryption by the corresponding service systems, and the same file can be authorized for decryption by different service systems. This strengthens both the mutual trust of files and the isolation of files between service systems, allows data exchange between service systems to be controlled at the granularity of individual files, enhances security between the systems, and avoids barriers between the systems.
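The key-interface checks of step S303 and the mutually trusted scenario above can be modelled together. The following Python sketch is an added example, not the patent's implementation: the key-system address, the domain names, the one-hour validity duration and the injected clock are all assumptions, and the caller's domain is assumed to come from an authenticated channel rather than from a value the caller supplies.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlparse

KEY_SYSTEM_ORIGIN = "https://keys.example.internal"  # hypothetical key-system address


class KeyAccessDenied(Exception):
    """The key interface refused to return a key."""


@dataclass(frozen=True)
class KeyRecord:
    key: bytes
    generated_at: float          # generation time of the key
    valid_seconds: float         # validity duration
    trusted_callers: frozenset   # service systems authorized for this file


def data_id_from_address(address):
    """Extract the unique data identifier from a key interface address.

    The address is read out of uploaded data, so anything that does not point
    at the expected key system is rejected before any request is made.
    """
    parsed = urlparse(address)
    prefix = "/key/"
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if origin != KEY_SYSTEM_ORIGIN or not parsed.path.startswith(prefix):
        raise KeyAccessDenied("address is not a key interface of the key system")
    return parsed.path[len(prefix):]


class KeySystem:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}

    def generate(self, valid_seconds, trusted_callers):
        """Create a key; return it with a key interface address holding the data id."""
        data_id = secrets.token_hex(16)  # unique data identifier from the key system
        record = KeyRecord(secrets.token_bytes(32), self._clock(),
                           valid_seconds, frozenset(trusted_callers))
        self._records[data_id] = record
        return record.key, f"{KEY_SYSTEM_ORIGIN}/key/{data_id}"

    def key_interface(self, address, caller_domain):
        """Return the key only to a trusted caller within the validity duration."""
        record = self._records.get(data_id_from_address(address))
        if record is None:
            raise KeyAccessDenied("unknown data identifier")
        if caller_domain not in record.trusted_callers:
            raise KeyAccessDenied("caller is not trusted for this file")
        # Time between key generation and this call, compared with the validity duration.
        if self._clock() - record.generated_at > record.valid_seconds:
            raise KeyAccessDenied("key has exceeded its validity duration")
        return record.key


class FakeClock:
    """Controllable clock so that the validity check can be shown deterministically."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def run_scenario():
    """Service system A encrypts data M; systems B and C later ask for the key."""
    clock = FakeClock(1_700_000_000.0)   # constructed start time
    key_system = KeySystem(clock=clock)
    key, address = key_system.generate(valid_seconds=3600,
                                       trusted_callers={"a.example", "b.example"})
    results = {}

    def attempt(label, caller_domain):
        try:
            returned = key_system.key_interface(address, caller_domain)
            results[label] = "key returned" if returned == key else "wrong key"
        except KeyAccessDenied as exc:
            results[label] = str(exc)

    attempt("B within validity", "b.example")
    attempt("C not mutually trusted", "c.example")
    clock.now += 3601                    # one second past the validity duration
    attempt("B after validity ends", "b.example")
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label}: {outcome}")
```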
In the embodiment of the application, when the data acquisition instruction for the second data is detected, the second target encrypted data corresponding to the second data is acquired and the second interface calling code is obtained from it; the corresponding key interface is then called according to the key interface address in the second interface calling code to obtain the second key required for decrypting the second encrypted data, and the second encrypted data is decrypted with the second key to obtain the second data. In this way the target encrypted data of the second data can be decrypted, so the user can upload downloaded encrypted data to the service system for viewing and cannot view it through other unknown software or systems; and because the key is stored in the key system and has to be obtained by calling the key interface when decryption is performed, the risk of key leakage is reduced and the security of the data is improved.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a data security device according to an embodiment of the present application. Optionally, the data security device may be disposed in the electronic device. As shown in fig. 4, the data security device described in this embodiment may include:
An obtaining unit 401, configured to obtain, when receiving a data download instruction for first data sent by a first client, a first key for the first data and a key interface address of the first key from a key system;
a processing unit 402, configured to perform encryption processing on the first data through the first key to obtain first encrypted data;
the processing unit 402 is further configured to generate a corresponding first interface call code according to a key interface address of the first key, where the first interface call code is configured to call a corresponding key interface according to the key interface address of the first key to obtain the first key when performing decryption processing on the first encrypted data;
the processing unit 402 is further configured to obtain first target encrypted data according to the combination of the first encrypted data and the first interface calling code, and send the first target encrypted data to the first client.
In one implementation, the processing unit 402 is further configured to:
when a data acquisition instruction for second data is detected, acquiring second target encrypted data corresponding to the second data; the data acquisition instruction is sent by a second client, and the second target encrypted data is obtained according to the combination of the second encrypted data and a second interface calling code;
acquiring a second interface calling code from the second target encrypted data;
calling a corresponding key interface according to a key interface address in the second interface calling code to obtain a second key required for decrypting the second encrypted data;
acquiring second encrypted data from the second target encrypted data;
and decrypting the second encrypted data according to the second key to obtain the second data, and sending the second data to the second client.
In one implementation, the processing unit 402 is specifically configured to:
sending a key acquisition request to a corresponding key interface according to a key interface address in the second interface calling code;
receiving a second key which is returned by the key system and is required for decrypting the second encrypted data; the second key is returned by the key system after the key interface's verification of the validity duration of the second key passes, and the key interface verifies the validity duration of the second key by comparing the time difference between the generation time of the second key and the time when the key interface is called with the validity duration of the second key.
In one implementation, the processing unit 402 is specifically configured to:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
and adding the first interface calling code added with the key identification pair into the first encrypted data to obtain first target encrypted data.
In one implementation, the processing unit 402 is specifically configured to:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
encrypting the first interface calling code with the key identification pair added to obtain an encrypted calling code;
and adding the encryption calling code to the first encrypted data to obtain first target encrypted data.
In one implementation, the processing unit 402 is specifically configured to:
acquiring an initial interface calling code, wherein the initial interface calling code comprises interface calling logic, and the interface calling logic is used for calling a key interface indicated by a parameter value of an interface parameter;
and updating the parameter value of the interface parameter according to the key interface address of the first key, and determining the updated initial interface call code as a first interface call code.
In one implementation, the processing unit 402 is specifically configured to:
sending a key generation instruction to the key system;
receiving a first key for the first data returned by the key system and a key interface address of the first key; the key interface address of the first key comprises a unique data identifier of the first data, and the unique data identifier is generated by the key system.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device described in the present embodiment includes: a processor 501, and a memory 502. Optionally, the electronic device may further include a network interface or a power module. Data may be exchanged between the processor 501 and the memory 502.
The processor 501 may be a central processing unit (Central Processing Unit, CPU), or may be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The network interface may include input devices, such as a control panel, microphone, receiver, etc., and/or output devices, such as a display screen, transmitter, etc., which are not shown. For example, in an embodiment of the application, the network interface may include a receiver and a transmitter.
The memory 502 may include read only memory and random access memory and provides program instructions and data to the processor 501. A portion of memory 502 may also include non-volatile random access memory. Wherein the processor 501, when calling the program instructions, is configured to execute:
when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system;
encrypting the first data through the first key to obtain first encrypted data;
generating a corresponding first interface calling code according to the key interface address of the first key, wherein the first interface calling code is used for calling a corresponding key interface according to the key interface address of the first key to acquire the first key when decrypting the first encrypted data;
and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client.
In one implementation, the processor 501 is further configured to:
when a data acquisition instruction for second data is detected, acquiring second target encrypted data corresponding to the second data; the data acquisition instruction is sent by a second client, and the second target encrypted data is obtained according to the combination of the second encrypted data and a second interface calling code;
acquiring a second interface calling code from the second target encrypted data;
calling a corresponding key interface according to a key interface address in the second interface calling code to obtain a second key required for decrypting the second encrypted data;
acquiring second encrypted data from the second target encrypted data;
and decrypting the second encrypted data according to the second key to obtain the second data, and sending the second data to the second client.
In one implementation, the processor 501 is specifically configured to:
sending a key acquisition request to a corresponding key interface according to a key interface address in the second interface calling code;
receiving a second key which is returned by the key system and is required for decrypting the second encrypted data; the second key is returned by the key system after the key interface's verification of the validity duration of the second key passes, and the key interface verifies the validity duration of the second key by comparing the time difference between the generation time of the second key and the time when the key interface is called with the validity duration of the second key.
In one implementation, the processor 501 is specifically configured to:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
and adding the first interface calling code added with the key identification pair into the first encrypted data to obtain first target encrypted data.
In one implementation, the processor 501 is specifically configured to:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
encrypting the first interface calling code with the key identification pair added to obtain an encrypted calling code;
and adding the encryption calling code to the first encrypted data to obtain first target encrypted data.
In one implementation, the processor 501 is specifically configured to:
acquiring an initial interface calling code, wherein the initial interface calling code comprises interface calling logic, and the interface calling logic is used for calling a key interface indicated by a parameter value of an interface parameter;
and updating the parameter value of the interface parameter according to the key interface address of the first key, and determining the updated initial interface call code as a first interface call code.
In one implementation, the processor 501 is specifically configured to:
sending a key generation instruction to the key system;
receiving a first key for the first data returned by the key system and a key interface address of the first key; the key interface address of the first key comprises a unique data identifier of the first data, and the unique data identifier is generated by the key system.
Optionally, the program instructions may further implement other steps of the method in the above embodiment when executed by the processor, which is not described herein.
The present application also provides a computer readable storage medium storing a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the above method, such as the method performed by the above electronic device, which is not described herein in detail.
Alternatively, a storage medium, such as a computer readable storage medium, to which the present application relates may be nonvolatile or may be volatile.
Alternatively, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created from the use of blockchain nodes, and the like. The blockchain referred to in the application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and the like. The Blockchain (Blockchain), which is essentially a decentralised database, is a string of data blocks that are generated by cryptographic means in association, each data block containing a batch of information of network transactions for verifying the validity of the information (anti-counterfeiting) and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, as some steps may be performed in another order or simultaneously according to the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required by the present application.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing related hardware; the program may be stored in a computer-readable storage medium, and the storage medium may include: a flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the steps performed in the embodiments of the methods described above. For example, the computer device may be a terminal, or may be a server.
The foregoing describes in detail the data security protection method, apparatus, electronic device and storage medium provided in the embodiments of the present application. Specific examples are used herein to illustrate the principles and implementations of the present application, and the above description of the embodiments is only intended to help in understanding the method and core idea of the present application. Meanwhile, those skilled in the art may, in accordance with the ideas of the present application, make modifications to the specific embodiments and the scope of application. In view of the above, the content of this description should not be construed as limiting the present application.

Claims (10)

1. A method of data security protection, comprising:
when a data downloading instruction for first data sent by a first client is received, a first key for the first data and a key interface address of the first key are obtained from a key system; the key interface address of the first key comprises a unique data identifier of the first data, wherein the unique data identifier is generated by the key system;
encrypting the first data through the first key to obtain first encrypted data;
generating a corresponding first interface calling code according to the key interface address of the first key; the first interface calling code is used for indicating that, when an electronic device acquiring the key decrypts the first encrypted data, a corresponding key interface is called according to the key interface address of the first key so as to acquire the first key; the key interface is used for verifying the electronic device acquiring the key and the effective duration of the first key, and when verification is successful, the key system returns the first key to the electronic device acquiring the key;
and combining the first encrypted data with the first interface calling code to obtain first target encrypted data, and sending the first target encrypted data to the first client.
2. The method according to claim 1, wherein the method further comprises:
when a data acquisition instruction for second data is detected, acquiring second target encrypted data corresponding to the second data; the data acquisition instruction is sent by a second client, and the second target encrypted data is obtained according to the combination of the second encrypted data and a second interface calling code;
acquiring a second interface calling code from the second target encrypted data;
calling a corresponding key interface according to a key interface address in the second interface calling code to obtain a second key required for decrypting the second encrypted data;
acquiring second encrypted data from the second target encrypted data;
and decrypting the second encrypted data according to the second key to obtain the second data, and sending the second data to the second client.
3. The method according to claim 2, wherein the calling the corresponding key interface according to the key interface address in the second interface calling code to obtain the second key required for decrypting the second encrypted data includes:
sending a key acquisition request to a corresponding key interface according to a key interface address in the second interface calling code;
receiving a second key which is returned by the key system and is required for decrypting the second encrypted data; the second key is returned by the key system after the key interface has verified the effective duration of the second key, and the key interface verifies the effective duration of the second key by comparing the time difference between the generation time of the second key and the time at which the key interface is called against the effective duration of the second key.
4. The method of claim 1, wherein the combining the first encrypted data with the first interface call code to obtain the first target encrypted data comprises:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
and adding the first interface calling code added with the key identification pair into the first encrypted data to obtain first target encrypted data.
5. The method of claim 1, wherein the combining the first encrypted data with the first interface call code to obtain the first target encrypted data comprises:
adding a key identification pair before and after the first interface calling code, wherein the key identification pair is used for identifying the position of the first interface calling code;
encrypting the first interface calling code added with the key identifier to obtain an encrypted calling code;
and adding the encryption calling code to the first encrypted data to obtain first target encrypted data.
6. The method of claim 1, wherein the generating the corresponding first interface call code from the key interface address of the first key comprises:
acquiring an initial interface calling code, wherein the initial interface calling code comprises interface calling logic, and the interface calling logic is used for calling a key interface indicated by a parameter value of an interface parameter;
and updating the parameter value of the interface parameter according to the key interface address of the first key, and determining the updated initial interface call code as a first interface call code.
7. The method of claim 1, wherein the obtaining the first key for the first data and the key interface address of the first key from the key system comprises:
sending a key generation instruction to the key system;
and receiving a first key for the first data returned by the key system and a key interface address of the first key.
8. A data security device, the device comprising:
an obtaining unit, configured to obtain, from a key system, a first key for first data and a key interface address of the first key when a data download instruction for the first data sent by a first client is received; the key interface address of the first key comprises a unique data identifier of the first data, wherein the unique data identifier is generated by the key system;
the processing unit is used for carrying out encryption processing on the first data through the first key to obtain first encrypted data;
the processing unit is further configured to generate a corresponding first interface call code according to a key interface address of the first key, where the first interface call code is configured to instruct that, when an electronic device acquiring the key decrypts the first encrypted data, a corresponding key interface is called according to the key interface address of the first key to obtain the first key; the key interface is used for verifying the electronic device acquiring the key and the effective duration of the first key, and when verification is successful, the key system returns the first key to the electronic device acquiring the key;
the processing unit is further configured to obtain first target encrypted data according to the combination of the first encrypted data and the first interface call code, and send the first target encrypted data to the first client.
9. An electronic device comprising a processor, a memory, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1-7.
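The flow of claims 1 to 4, including the key interface's validity check from claim 3, as an added Python sketch that is not part of the patent text. The `KeySystem` class, the marker bytes, the URL, the device allow-list and the SHA-256 counter keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hashlib, secrets, time

# All names below are illustrative assumptions, not identifiers from the patent.
START, END = b"\x00<KEYCALL>", b"</KEYCALL>\x00"   # assumed key identification pair

class KeySystem:
    """Hypothetical key system: issues keys and serves the key interface."""
    def __init__(self, ttl_seconds, allowed_devices):
        self.ttl, self.allowed, self.store = ttl_seconds, set(allowed_devices), {}

    def generate(self, now=None):
        data_id = secrets.token_hex(8)             # unique data identifier
        key = secrets.token_bytes(32)
        self.store[data_id] = (key, time.time() if now is None else now)
        return key, f"https://keys.example.invalid/key/{data_id}"

    def key_interface(self, address, device_id, now=None):
        """Return the key only to a known device while the key is still valid."""
        record = self.store.get(address.rsplit("/", 1)[-1])
        if record is None or device_id not in self.allowed:
            return None
        key, generated_at = record
        # Claim 3: time since generation is compared with the effective duration.
        elapsed = (time.time() if now is None else now) - generated_at
        return key if 0 <= elapsed <= self.ttl else None

def xor_stream(key, data):
    """Stand-in cipher (SHA-256 counter keystream); use an AEAD in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def package(ks, plaintext, now=None):
    """Server side: obtain key, encrypt, combine with the marked call code."""
    key, address = ks.generate(now)
    call_code = START + address.encode() + END     # claim 4: marker pair around code
    # The marked code goes first so random ciphertext bytes cannot shadow a marker.
    return call_code + xor_stream(key, plaintext)

def unpack(ks, blob, device_id, now=None):
    """Decrypting side: locate the call code, call the key interface, decrypt."""
    if not blob.startswith(START):
        raise ValueError("no interface call code found")
    end = blob.index(END)                          # ValueError if the pair is broken
    address = blob[len(START):end].decode()
    key = ks.key_interface(address, device_id, now)
    if key is None:
        raise PermissionError("key interface refused: unknown device or expired key")
    return xor_stream(key, blob[end + len(END):])
```

Because the key never travels with the data, a copy of the packaged blob that leaves the environment is only decryptable while the key system still answers for that device and that key.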
CN202210169525.2A 2022-02-23 2022-02-23 Data security protection method and device, electronic equipment and medium Active CN114567476B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210169525.2A CN114567476B (en) 2022-02-23 2022-02-23 Data security protection method and device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN114567476A CN114567476A (en) 2022-05-31
CN114567476B true CN114567476B (en) 2024-02-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240115

Address after: Chinatelecom tower, No. 19, Chaoyangmen North Street, Dongcheng District, Beijing 100010

Applicant after: Tianyi Safety Technology Co.,Ltd.

Address before: Room 202, Block B, Aerospace Micromotor Building, No. 7 Langshan 2nd Road, Xili Street, Nanshan District, Shenzhen City, Guangdong Province, 518057

Applicant before: Shenzhen LIAN intellectual property service center

Effective date of registration: 20240115

Address after: Room 202, Block B, Aerospace Micromotor Building, No. 7 Langshan 2nd Road, Xili Street, Nanshan District, Shenzhen City, Guangdong Province, 518057

Applicant after: Shenzhen LIAN intellectual property service center

Address before: 518000 Room 201, building A, 1 front Bay Road, Shenzhen Qianhai cooperation zone, Shenzhen, Guangdong

Applicant before: PING AN PUHUI ENTERPRISE MANAGEMENT Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant